Date:      Tue, 12 Jun 2018 16:54:37 +0200
From:      Olivier Cochard-Labbé <olivier@freebsd.org>
To:        Patrick Lamaiziere <patfbsd@davenulle.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: 11.2-RC1 setkey invalid spi ?
Message-ID:  <CA%2Bq%2BTco%2BZ6E1r_rcQfVMzFuQtKHjpFE52Ub6ch9WDJHfBDEUFA@mail.gmail.com>
In-Reply-To: <20180612160116.58df4001@mr185083>
References:  <20180612143447.697681c5@mr185083> <20180612160116.58df4001@mr185083>

On Tue, Jun 12, 2018 at 4:02 PM Patrick Lamaiziere <patfbsd@davenulle.org>
wrote:

> On Tue, 12 Jun 2018 14:34:47 +0200,
> Patrick Lamaiziere <patfbsd@davenulle.org> wrote:
>
> Hello
>

Hi Patrick,

>
> Well I can reproduce this problem by using setkey(8) :
>
> /etc/ipsec.conf
> add 129.20.128.78 129.20.128.149 tcp 0x1000 -A tcp-md5 "secret";
> add 129.20.128.149 129.20.128.78 tcp 0x1000 -A tcp-md5 "secret";
>
>
>
You can no longer use the same SPI for these 2 entries (cf. the TCP MD5
examples in the setkey man page):

Use TCP MD5 between two numerically specified hosts:
           add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;
           add 10.1.10.36 10.1.10.34 tcp 0x1001 -A tcp-md5 "TCP-MD5 BGP secret" ;

Regards,

Olivier
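
A pre-load check for the condition discussed in this thread, as an added example that is not part of the original messages or of FreeBSD: it scans setkey(8) `add` lines and reports any SPI that appears more than once, comparing hex and decimal forms numerically. The function name `find_dup_spi`, the one-statement-per-line parsing, and treating any repeated SPI as a conflict regardless of protocol are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report setkey(8) "add" statements
# that reuse an SPI. Assumes one statement per line, read from stdin.

# Prints one line per reuse; returns 1 if any reuse was found, else 0.
find_dup_spi() {
    seen="" lineno=0 found=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}                    # drop comments
        set -f; set -- $line; set +f        # split into words, no globbing
        [ "${1:-}" = "add" ] || continue
        shift
        while [ $# -gt 0 ]; do              # skip flags such as -4 -6 -n
            case $1 in -*) shift ;; *) break ;; esac
        done
        [ $# -ge 4 ] || continue            # need: src dst protocol spi
        raw=$4
        # Validate before arithmetic so only plain numbers are evaluated.
        case $raw in
            0[xX]*)
                hex=${raw#0[xX]}
                case $hex in ""|*[!0-9a-fA-F]*) continue ;; esac
                spi=$((0x$hex)) ;;
            ""|*[!0-9]*) continue ;;
            *)
                dec=$raw                    # strip leading zeros: not octal
                while [ "${#dec}" -gt 1 ] && [ "${dec#0}" != "$dec" ]; do
                    dec=${dec#0}
                done
                spi=$dec ;;
        esac
        case $seen in
            *" $spi:"*)
                prev=${seen#*" $spi:"}; prev=${prev%% *}
                echo "line $lineno: SPI $raw ($spi) already used on line $prev"
                found=1 ;;
            *) seen="$seen $spi:$lineno" ;;
        esac
    done
    return $found
}

# Sample input: the two entries from the quoted /etc/ipsec.conf.
find_dup_spi <<'EOF' || true
add 129.20.128.78 129.20.128.149 tcp 0x1000 -A tcp-md5 "secret";
add 129.20.128.149 129.20.128.78 tcp 0x1000 -A tcp-md5 "secret";
EOF
```

Run it as `find_dup_spi < /etc/ipsec.conf` before loading the file with `setkey -f /etc/ipsec.conf`.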


